Check: SRG-APP-000349-DNS-000043
Domain Name System (DNS) SRG:
SRG-APP-000349-DNS-000043
(in versions v4 r1 through v2 r4)
Title
The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer). (Cat II impact)
Discussion
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.
Check Content
Review the DNS server implementation configuration to determine if the DNS server validates the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer). If the DNS server does not validate the binding of the other DNS server's identity to the DNS information, this is a finding.
Fix Text
Configure the DNS server to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
Additional Identifiers
Rule ID: SV-205198r987678_rule
Vulnerability ID: V-205198
Group Title: SRG-APP-000349
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
CCI-001904 |
Validate the binding of the information producer identity to the information at an organization-defined frequency. |